+# 7.6. cipher-list
+# =================
+#
+# Specifies:
+#
+# A list of ciphers to use in TLS handshakes
+#
+# Type of value:
+#
+# Text
+#
+# Default value:
+#
+# None
+#
+# Effect if unset:
+#
+# A default value is inherited from the TLS library.
+#
+# Notes:
+#
+# This directive allows to specify a non-default list of ciphers
+# to use in TLS handshakes with clients and servers.
+#
+# Ciphers are separated by colons. Which ciphers are supported
+# depends on the TLS library. When using OpenSSL, unsupported
+# ciphers are skipped. When using MbedTLS they are rejected.
+#
+# +-----------------------------------------------------+
+# | Warning |
+# |-----------------------------------------------------|
+# |Specifying an unusual cipher list makes |
+# |fingerprinting easier. Note that the default list |
+# |provided by the TLS library may be unusual when |
+# |compared to the one used by modern browsers as well. |
+# +-----------------------------------------------------+
+# Examples:
+#
+# # Explicitly set a couple of ciphers with names used by MbedTLS
+# cipher-list cipher-list TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256:\
+# TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256:\
+# TLS-DHE-RSA-WITH-CHACHA20-POLY1305-SHA256:\
+# TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256:\
+# TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384:\
+# TLS-ECDHE-ECDSA-WITH-AES-256-CCM:\
+# TLS-ECDHE-ECDSA-WITH-AES-256-CCM-8:\
+# TLS-ECDHE-ECDSA-WITH-AES-128-CCM:\
+# TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8:\
+# TLS-ECDHE-ECDSA-WITH-CAMELLIA-128-GCM-SHA256:\
+# TLS-ECDHE-ECDSA-WITH-CAMELLIA-256-GCM-SHA384:\
+# TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256:\
+# TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384:\
+# TLS-ECDHE-RSA-WITH-CAMELLIA-128-GCM-SHA256:\
+# TLS-ECDHE-RSA-WITH-CAMELLIA-256-GCM-SHA384:\
+# TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:\
+# TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:\
+# TLS-DHE-RSA-WITH-AES-256-CCM:\
+# TLS-DHE-RSA-WITH-AES-256-CCM-8:\
+# TLS-DHE-RSA-WITH-AES-128-CCM:\
+# TLS-DHE-RSA-WITH-AES-128-CCM-8:\
+# TLS-DHE-RSA-WITH-CAMELLIA-128-GCM-SHA256:\
+# TLS-DHE-RSA-WITH-CAMELLIA-256-GCM-SHA384:\
+# TLS-ECDH-RSA-WITH-AES-128-GCM-SHA256:\
+# TLS-ECDH-RSA-WITH-AES-256-GCM-SHA384:\
+# TLS-ECDH-RSA-WITH-CAMELLIA-128-GCM-SHA256:\
+# TLS-ECDH-RSA-WITH-CAMELLIA-256-GCM-SHA384:\
+# TLS-ECDH-ECDSA-WITH-AES-128-GCM-SHA256:\
+# TLS-ECDH-ECDSA-WITH-AES-256-GCM-SHA384:\
+# TLS-ECDH-ECDSA-WITH-CAMELLIA-128-GCM-SHA256:\
+# TLS-ECDH-ECDSA-WITH-CAMELLIA-256-GCM-SHA384
+#
+# # Explicitly set a couple of ciphers with names used by OpenSSL
+# cipher-list ECDHE-RSA-AES256-GCM-SHA384:\
+# ECDHE-ECDSA-AES256-GCM-SHA384:\
+# DH-DSS-AES256-GCM-SHA384:\
+# DHE-DSS-AES256-GCM-SHA384:\
+# DH-RSA-AES256-GCM-SHA384:\
+# DHE-RSA-AES256-GCM-SHA384:\
+# ECDH-RSA-AES256-GCM-SHA384:\
+# ECDH-ECDSA-AES256-GCM-SHA384:\
+# ECDHE-RSA-AES128-GCM-SHA256:\
+# ECDHE-ECDSA-AES128-GCM-SHA256:\
+# DH-DSS-AES128-GCM-SHA256:\
+# DHE-DSS-AES128-GCM-SHA256:\
+# DH-RSA-AES128-GCM-SHA256:\
+# DHE-RSA-AES128-GCM-SHA256:\
+# ECDH-RSA-AES128-GCM-SHA256:\
+# ECDH-ECDSA-AES128-GCM-SHA256:\
+# ECDHE-RSA-AES256-GCM-SHA384:\
+# AES128-SHA
+#
+# # Use keywords instead of explicitly naming the ciphers (Does not work with MbedTLS)
+# cipher-list ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
+#
+#
+# 7.7. trusted-cas-file